Note that this TFTP issue will also be present for Microsoft RIS services.

I use Ghost with PXE boot to Net-Boot a workstation into a DOS environment with a mapped
network drive-letter, then run Ghost and GhostWalk from the command line. This solution
works very nice for customers with relatively low count workstations, for maintaining
images of the workstation. No dealing with floppies (PXE BIOS machines), and the
flexibility to quickly choose which image to use, and choose upload or download. With
very few different hardware configurations at the workstations, it is very easy to
maintain 2 or 3 images.

Problem was, I could not get PXE to boot and TFTP correctly. I kept getting at the
client: "TFTP..." (a series of progressing dots), and sometimes "PXE-35 error". And in
the 3Com TFTP Server console, I could see the TFTP request come in, but the send would
"request timed out".

Once I figured out the workstation PXE boot issue was due to TFTP failing, I used another
machine already booted into Windows to troubleshoot/test TFTP from the command prompt.
Interestingly, I could TFTP from the same machine the TFTP Server was running, but
not from another machine. So I figured it must be a firewall issue. (I discovered
TFTP.exe was not on the SBS machine, so I copied the exe file from the System32 directory
of another machine, I must not have all the ResKit and SupportTools installed on this SBS
machine).

After considerable trial and error (and locking myself out of Remote Desktop requiring a
trip to on-site), I was able to figure out the fix. For those that are interested, the
biggest frustration is that Microsoft ISA Server 2004 has the TFTP protocol pre-defined,
but it is apparently intended for TFTP client, and will NOT work for TFTP Server.

Give credit where it's due, I was pointed in the right direction with this article:
RIS on SBS 2003 + ISA 2004, but I needed to use a different range of ports. (I
needed to begin the port range at 69 instead of 1024 per the article, another hour
figuring that out). It is worth noting that perhaps port 69 should be added as an
additional range (now most UDP ports are open to the LAN), but I wasn't going to refine
further.

To get TFTP Server to respond to clients on the LAN, in ISA Server 2004 I created a new
protocol definition and then added a rule allowing this new protocol.

Quick side note: the referenced article indicates to restart ISA, but considering
I had to get on-site to the console after locking myself out of Remote Desktop, I did
not restart the ISA service. However, the ISA service did essentially restart when I
rebooted the server, so perhaps this is needed.
Remote Desktop Lock-out prevention: before restarting a service that may lock-out
Remote Desktop, I began using the "shutdown.exe" command line utility to initiate a
shutdown & restart in 300 seconds (5 minutes) BEFORE restarting a potential
lock-out service. If I do not get locked-out, then it is very easy to abort the shutdown
& restart command.

Hopefully, this write-up will save someone all the headache I suffered.